Outstanding issues

Russell Fulton r.fulton at auckland.ac.nz
Mon Sep 25 17:26:50 EDT 2006


Carter Bullard wrote:
> Hey Russell,
> Well, the only thing that chroot() will prevent us from doing is
> reopening a down interface, or re-reading the system configuration
> file, if we set the signals to do the right thing.  I can live with that,
> but it is not at all desirable.

The ability to chroot should be an option.  If you choose to chroot then
there are certain consequences.  This is exactly the same as snort.  If
you run chroot you cannot signal snort to re-read the conf for example
and you get an error if you try.

> 
> DO NOT ask us to chroot(), then read the system configuration file.
> That would be stretching it quite a bit I think.   We don't know which
> interface to open until we've read the configuration file, so that's right
> out.

Absolutely.

This is not for everyone.  It is for those of us who run big open
networks with large amounts of externally sourced traffic floating
around our internal networks.  (We have over 100 externally visible web
servers scattered across our internal network -- do a scan of our
network on port 80 and the packets will be seen by all of my sensors.
Same goes for POP and IMAP and probably FTP).

Cheers, Russell
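The trade-off the two messages above describe (resolve the configuration and the capture interface from the real filesystem first, then chroot, after which a "re-read the config" signal can only be refused with an error, as snort does) can be shown in a small daemon skeleton. This is an added example, not code from argus or snort; the names `sensor_state`, `sensor_read_config`, `sensor_reload` and `sensor_lockdown` are hypothetical, the config file under `/tmp` is constructed for the demo, and `/var/empty` is an assumed jail directory. The chroot step is only attempted when running as root; unprivileged the program still demonstrates the reload policy.

```c
/* Added example (not argus code): why a chroot()ed sensor cannot honour a
 * "re-read configuration" signal, and how to refuse it explicitly rather
 * than silently ignore it. Names below are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CONFIG_PATH "/tmp/sensor.conf"   /* constructed sample path */
#define JAIL_DIR    "/var/empty"         /* assumed empty jail directory */

struct sensor_state {
    char iface[32];     /* capture interface name read from the config */
    int  chrooted;      /* set once chroot() has succeeded */
    int  reload_errors; /* refused or failed reloads, worth alerting on */
};

static volatile sig_atomic_t got_hup = 0;
static void on_hup(int sig) { (void)sig; got_hup = 1; }

/* Parse "interface <name>" from the config file. Returns 0 on success,
 * -1 with errno set if the file is unreadable (e.g. after chroot) or
 * carries no interface line. */
static int sensor_read_config(struct sensor_state *st, const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[128];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "interface %31s", st->iface) == 1) { found = 1; break; }
    }
    fclose(f);
    if (!found) { errno = EINVAL; return -1; }
    return 0;
}

/* Reload policy from the thread: once chrooted, the request is refused and
 * reported. Returns 0 if the config was re-read, -1 if refused or failed. */
static int sensor_reload(struct sensor_state *st, const char *path) {
    if (st->chrooted) {
        st->reload_errors++;
        fprintf(stderr, "reload refused: chrooted, %s is not reachable\n", path);
        return -1;
    }
    if (sensor_read_config(st, path) != 0) {
        st->reload_errors++;
        perror("reload failed");
        return -1;
    }
    return 0;
}

/* Lock the process down. Order matters: the config has been read and the
 * interface would already be open, so the new root can be empty.
 * Returns 0 if chrooted, 1 if skipped (not root), -1 on error. */
static int sensor_lockdown(struct sensor_state *st, const char *jail) {
    if (geteuid() != 0) return 1;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    st->chrooted = 1;
    return 0;
}

int main(void) {
    struct sensor_state st = {0};
    FILE *f = fopen(CONFIG_PATH, "w");          /* constructed config */
    if (!f) { perror("config"); return 1; }
    fputs("interface eth0\n", f);
    fclose(f);

    if (sensor_read_config(&st, CONFIG_PATH) != 0) { perror("config"); return 1; }
    /* a real sensor would open st.iface for capture here, before lockdown */
    signal(SIGHUP, on_hup);
    int rc = sensor_lockdown(&st, JAIL_DIR);
    printf("interface=%s chrooted=%d (lockdown rc=%d)\n", st.iface, st.chrooted, rc);

    raise(SIGHUP);                /* simulate an operator requesting a reload */
    if (got_hup) { got_hup = 0; sensor_reload(&st, CONFIG_PATH); }
    printf("refused or failed reloads: %d\n", st.reload_errors);
    return 0;
}
```

Run as root to see the refusal path; run unprivileged and the same SIGHUP is honoured because no chroot took place. Counting refused reloads in `reload_errors` gives the monitoring side a signal that an operator expected a reload that never happened.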



More information about the argus mailing list